nanog mailing list archives
Re: ISP port blocking practice
From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Wed, 8 Sep 2010 00:05:04 -0500 (CDT)
> From nanog-bounces+bonomi=mail.r-bonomi.com () nanog org Tue Sep 7 15:15:13 2010
> Date: Mon, 6 Sep 2010 19:55:06 -0500
> From: Brett Frankenberger <rbf+nanog () panix com>
> To: deleskie () gmail com
> Subject: Re: ISP port blocking practice
> Cc: NANOG list <nanog () nanog org>
>
> On Mon, Sep 06, 2010 at 10:38:15PM +0000, deleskie () gmail com wrote:
> > Having worked in past @ 3 large ISPs with residential customer pools I can tell you we saw a very direct drop in spam issues when we blocked port 25.
>
> No one is disputing that. Or, at least, I'm not disputing that. I'm questioning whether or not the *Internet* has experienced any decrease in aggregate spam as a result of ISPs blocking port 25. Did the spam you blocked disappear, or did it all get sent some other way?
_I_ can't say about 'some other way', but, on average, between 1/4 and 1/3 of all the incoming spam at my personal server is 'direct to MX', that would have been, at least, 'slowed a little bit' by "classical, dumb" port 25 blocking.

Now, a *smart* port 25 enforcer -- where traffic outbound to port 25 was selectively NATted into a 'data sink' -- something that replies "200" to everything up to the DATA command, and _always_ gives a 5xy response to that (with text like "you must send outgoing mail through our server"), WOULD kill the traffic dead. Or, at least, force the spamware writers to start paying attention to SMTP response codes, *IF* they wanted to count deliveries. All available evidence says that -most- spammers/spamware/botnets pay no attention to such -- as established by the effectiveness of GreetPause, and greylisting.

It is worth noting that this kind of 'smart' port 25 blocking would also automatically identify 'infected' machines, and by consulting the records of who is currently on that IP address, tell _which_customer_ has the infected machine, *AND* notify the customer of their problem. All without any need for any (expensive) human involvement.

Aside, if spamware _had_ to 'obey the rules' of SMTP transactions, regarding reading reply codes, that alone would probably reduce by 50%, if not more, the aggregate sending _capacity_ of the world's spam sources. Whether that would make much of a difference, I don't know -- depends on how far existing 'capacity' exceeds existing usage/demand.
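The 'data sink' described in the message above, sketched as an added example that is not part of the original post: it models one redirected port-25 session, answers every command positively until DATA, refuses DATA with a 5xy reply, and maps the source address back to a customer. The class and function names, the lease table, the customer ids and the exact reply codes (220/250 as the positive replies, 550 for DATA) are assumptions made for illustration.

```python
"""SMTP 'data sink' sketch: accept every command until DATA, then refuse."""
from collections import Counter

REJECT = "550 5.7.1 You must send outgoing mail through our server"


class SinkSession:
    """One redirected port-25 connection from a customer IP (hypothetical)."""

    def __init__(self, client_ip, hits):
        self.client_ip = client_ip
        self.hits = hits  # shared Counter: client_ip -> refused DATA attempts

    def greeting(self):
        return "220 mail-sink ESMTP"

    def handle(self, line):
        """Return the reply for one command line from the client."""
        cmd = line.strip().upper()
        if cmd == "DATA":
            # The client tried to hand over a message: record the attempt.
            self.hits[self.client_ip] += 1
            return REJECT
        if cmd == "QUIT":
            return "221 Bye"
        # HELO/EHLO, MAIL FROM, RCPT TO, RSET, NOOP and anything else.
        return "250 OK"


def replay(client_ip, commands, hits):
    """Feed a list of command lines through a session; return all replies."""
    session = SinkSession(client_ip, hits)
    return [session.greeting()] + [session.handle(c) for c in commands]


def customers_to_notify(hits, leases, threshold=1):
    """Map offending IPs to customers via the (assumed) address lease table."""
    return sorted(leases[ip] for ip, n in hits.items()
                  if n >= threshold and ip in leases)


# Constructed sample data: documentation addresses, made-up customer ids.
SAMPLE_LEASES = {"192.0.2.10": "cust-1001", "192.0.2.11": "cust-1002"}
SAMPLE_SESSION = ["EHLO pc.example", "MAIL FROM:<a@example.org>",
                  "RCPT TO:<b@example.net>", "DATA", "QUIT"]

if __name__ == "__main__":
    hits = Counter()
    for reply in replay("192.0.2.10", SAMPLE_SESSION, hits):
        print(reply)
    print(customers_to_notify(hits, SAMPLE_LEASES))
```

A client that reads reply codes sees the 550 and stops; one that ignores them still delivers nothing, and either way the attempt is counted against the address it came from.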